As one of our customers said to me during the course of our conversation, changing a rule on a Next Generation firewall takes “an act of God”. The procedures that have been instituted inside enterprises prevent easy changes to firewall policies. Today, organizations are deploying NG firewalls on the internal network to control access and prevent breaches. The solution is, at best, limited. These firewalls cannot detect breaches or stop insider threats. There are three main reasons:

Policies are static and cannot adapt to dynamic threats

Inability to learn and characterize User Behavior

Lack of granularity in the ability to respond to a threat or compromise

First, Next Generation firewalls are very deterministic in designating what is good and what is bad. What we have learned from insider threats and security breaches is that malicious attackers emulate the behavior of legitimate users, often by using compromised credentials. So, while the user account may be legitimate, the behavior of whoever is using those credentials will not be. This is not very different from an insider who decides to misuse their own credentials. NG firewalls will only verify that the credentials are legitimate, and will allow access if they are.

Second, while it is possible to get user profiles and create detailed firewall rules, it is not practical. User roles change, their projects change, their groups change, etc. For a firewall administrator to keep up with the changes to ensure security is impractical, if not impossible. Learning, characterizing and gaining a deeper understanding of every user and entity on the network is a requirement to stop the next compromise, and NG firewalls are not built to handle such frequent changes.

Third, when a threat is detected, if the only responses that can be employed are “Allow” or “Block”, then any false positive or legitimate change in behavior can lead to preventing a user from doing his or her job. Hence, it is rare to see “Block” rules within the Intrusion Detection and Prevention modules of NG firewalls. Security administrators don’t want to be fired for blocking the CEO’s network traffic due to a false alert. Threats of unconfirmed severity and confidence need a more graduated response.

So, if you wish to detect and block such insider threats and security breaches, what you need is a Behavioral Firewall. There are three key capabilities in a Behavioral Firewall that overcome the limitations of NG firewalls:

They have the ability to learn user behavior

Policies dynamically evolve to match user behavior

Responses are fine-grained, so business processes are not impacted

Behavioral Firewalls provide visibility into risky users, endpoints, stale or compromised accounts and privileged user behavior. By monitoring and learning the behavior of every user, group and device on the network including when/where they log in, their role, their system privileges, strength of passwords, and more, Behavioral Firewalls can characterize the expected and normal behavior of users and endpoints.

Once such a baseline is generated, policies, created either automatically or manually, determine how to respond to different kinds of threats. For example, if a user accesses a set of network servers from a remote location, which he has not done before, and it is out of the norm for this organization, the system can request a confirmation of identity via 2FA. Or, the security administrator can create a rule that disallows access to new servers from a remote location. Building such a policy gives the security administrator the confidence that when a likely threat is identified, the system will be able to detect and respond to it.

Finally, responding to a threat, especially one of unconfirmed severity, is a gamble. What is required is fine-grained automated response mechanisms, such as 2 Factor Authentication, Notify, Re-authenticate, etc., in addition to the normal responses from NG firewalls like Allow and Block. Such granularity can ensure that security is maintained while legitimate users are not prevented from getting their job done.
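As an added illustration (not code from this post or from any product), a minimal Python policy engine that learns a per-user baseline from a constructed access log and maps deviations from it to the graduated responses described above. The user, location and server names, and the deny_new_servers_remote administrator rule, are assumptions made for the example.

```python
from collections import defaultdict

# Graduated responses, from least to most disruptive.
ALLOW, NOTIFY, REAUTH, TWO_FA, BLOCK = "allow", "notify", "reauthenticate", "2fa", "block"

# Constructed sample access log: (user, source_location, server reached).
HISTORY = [
    ("alice", "office", "hr-db"), ("alice", "office", "hr-db"),
    ("alice", "office", "wiki"), ("bob", "vpn", "build"),
    ("bob", "office", "build"), ("bob", "vpn", "wiki"),
]

def build_baseline(events):
    """Learn, per user, the locations seen and the servers reached (the baseline)."""
    baseline = defaultdict(lambda: {"locations": set(), "servers": set()})
    for user, location, server in events:
        baseline[user]["locations"].add(location)
        baseline[user]["servers"].add(server)
    return dict(baseline)

def evaluate(baseline, user, location, server, deny_new_servers_remote=False):
    """Map deviations from the baseline to a graduated response.

    deny_new_servers_remote models the hand-written administrator rule from the
    post: servers the user has never reached before may not be reached remotely.
    """
    profile = baseline.get(user)
    if profile is None:
        return BLOCK  # no baseline at all: nothing to compare against
    new_location = location not in profile["locations"]
    new_server = server not in profile["servers"]
    remote = location != "office"  # assumption: "office" is the only on-site location
    if new_server and remote and deny_new_servers_remote:
        return BLOCK  # explicit administrator rule wins
    if new_server and new_location:
        return TWO_FA  # two deviations at once: confirm identity before allowing
    if new_location:
        return REAUTH  # familiar server, unfamiliar place
    if new_server:
        return NOTIFY  # familiar place, unfamiliar server: tell the administrator
    return ALLOW

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for attempt in [("alice", "office", "hr-db"), ("alice", "hotel-wifi", "payroll")]:
        print(attempt, "->", evaluate(base, *attempt))
```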

NG firewalls had a good ten-year run and are still good for the network perimeter. But when it comes to protecting the inside of the enterprise perimeter, they lack significant capabilities, and it is unclear how they can be redesigned to overcome such limitations.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.